Notifiable Data Breach Response for Australian SMBs Hit by Ransomware: From “We’re Encrypted” to OAIC Submission Without the Spiral
It is Tuesday morning. Your file server is showing a ransom note, half your staff cannot open anything on the shared drive, and someone from the attacker group has emailed your generic inbox claiming they exfiltrated customer records before they encrypted. You do not yet know what they took, you do not know if it is an “eligible data breach” under the Privacy Act, and you have a 30-day clock that probably already started. Notifiable Data Breach Response from Cyber by Exegesis is the engagement that walks an Australian SMB through the OAIC scheme — assessment, determination, notification — in the days after a ransomware incident.
The problem
Ransomware is now the top SMB cyber loss category in Australia by impact, and the modern variant is rarely just encryption — it is double-extortion, where the attacker exfiltrates data first and threatens publication. The moment exfiltration is plausible, the OAIC Notifiable Data Breaches scheme is in scope: under Part IIIC of the Privacy Act 1988, an organisation that suspects an eligible data breach has 30 days to carry out a reasonable and expeditious assessment, and if the breach is confirmed eligible, must notify both the OAIC and the affected individuals.
Most SMBs are doing this for the first time, under pressure, while also trying to restore from backups. The questions stack up fast: what counts as “serious harm”? What goes in the statement to OAIC? Do we tell every customer or only the ones whose data was actually in the affected dataset? Can we say “we don’t know yet” in a notification? Getting the assessment wrong in either direction — over-notifying and triggering avoidable reputational damage, or under-notifying and breaching the scheme — is the failure mode this engagement exists to prevent.
What Notifiable Data Breach Response does
Cyber by Exegesis runs a fixed-scope post-incident engagement focused on the OAIC NDB workflow specifically:
- A scope assessment of what data was on the affected systems, what the attacker plausibly accessed or exfiltrated, and which categories of personal information are implicated.
- An eligible-data-breach determination against the OAIC criteria — unauthorised access or disclosure, and likelihood of serious harm — documented in writing so your decision is defensible later.
- Drafting of the notification statement to the OAIC, including the prescribed content elements, and drafting of the affected-individual notification (by email and, where required, through alternative channels).
- Submission support for the OAIC notification form and a register entry your organisation can keep as evidence of the assessment process.
- A short written hand-off pack so your insurer, lawyer, and board have one consistent factual record.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is NDB response only. We do not negotiate with ransomware actors, we do not perform forensic imaging, and we do not restore your systems — we coordinate with whoever is doing that work and translate it into the OAIC workflow.
How it works
- We take an intake call within one business day of waitlist activation, confirm the incident timeline, and identify the personal information categories that may have been affected.
- We work with your IT provider or incident responder to establish what data was on the encrypted or exfiltrated systems, and document the basis for that conclusion.
- We run the eligible-data-breach determination against the OAIC criteria and produce a written assessment — including the case where the breach is not eligible and notification is not required.
- If notification is required, we draft both the OAIC statement and the affected-individual communication, and walk you through submission.
- We hand off a written pack covering the assessment, the notifications sent, and the open items your organisation should track over the following 90 days.
Why this matters in Australia
The NDB scheme applies nationally to any Australian organisation covered by the Privacy Act — most SMBs over $3M turnover, plus health service providers, credit providers, and TFN recipients regardless of size. Ransomware does not care which state you are in, but the scheme does care about the 30-day clock. An Australian SMB that gets a ransom note on a Tuesday and starts the NDB assessment that same week is in a very different legal position from one that waits three weeks hoping the backups will come back cleanly. Cyber by Exegesis runs this engagement so the OAIC workflow happens in parallel with your recovery, not after it.
Sources
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- Cyber by Exegesis — Notifiable Data Breach Response (waitlist)
Join the waitlist
We sequence NDB engagements by urgency — active incidents go to the front. Join the waitlist with your sector, approximate headcount, and whether you are currently in an active incident; we will respond within one business day.